Privacy Policy

Effective April 1, 2026

Ad Vital, Inc. ("Ad Vital") provides an electronic medical record platform to U.S. medical practices. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with our website at advitalmd.com and our platform at app.advital.app (the "Services"). It is designed to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the California Consumer Privacy Act ("CCPA"), and applicable state privacy laws.

01. Scope of This Policy

This Policy applies to (a) visitors to our public marketing website; (b) prospective customers who contact us; (c) Authorized Users of customer practices who access the platform; and (d) patients of customer practices whose health information is processed through the platform. Ad Vital's processing of patient health information is governed primarily by the Business Associate Agreement we execute with each customer practice.

02. Our Role: Business Associate

With respect to electronic protected health information (ePHI), Ad Vital is a Business Associate of each customer practice (the "Covered Entity") under HIPAA. We process ePHI only as permitted by our Business Associate Agreement with the Covered Entity and as necessary to provide the Services. We do not own ePHI and we do not use it for any purpose other than providing the Services and complying with law.

03. Information We Collect

From customer practices and Authorized Users. Account information (name, email, role, NPI, DEA where applicable), authentication credentials, billing information, and platform activity logs.

From patients of customer practices, on the practice's behalf. Demographic information, contact information, insurance information, clinical history, allergies, medications, vitals, photographs, consent forms, and prescriptions written by the prescriber. This information is treated as ePHI under HIPAA.

From website visitors. IP address, browser and device characteristics, pages viewed, referring URL, and cookie identifiers. We use a privacy-respecting analytics provider that does not set cross-site tracking cookies.

04. How We Use Information

We use information to (a) provide, maintain, and improve the Services; (b) authenticate users and prevent fraud; (c) transmit prescriptions through DoseSpot to the patient's chosen pharmacy on the Surescripts network; (d) generate AI-assisted clinical documentation from voice input that the prescriber explicitly initiates; (e) send service-related communications; (f) bill subscriptions; and (g) comply with legal obligations. We do not sell ePHI. We do not use ePHI for advertising. We do not train third-party AI models on ePHI.

05. When We Share Information

We share information only as necessary to provide the Services or as required by law: (a) with subprocessors who provide hosting, e-prescribing, voice transcription, and e-fax delivery, each of whom is bound by a Business Associate Agreement; (b) with the pharmacy selected by the patient at the point of care, in order to fulfill a prescription; (c) with regulators or law enforcement when required by valid legal process; and (d) in connection with a corporate transaction, subject to continued HIPAA protections. We do not sell or rent personal information.

06. Patient Rights Under HIPAA

Patients have the right under HIPAA to access, amend, and receive an accounting of disclosures of their ePHI. Because Ad Vital acts as a Business Associate of the Covered Entity (the patient's practice), patients should direct these requests to their healthcare provider. Ad Vital will support the Covered Entity in responding to patient requests in accordance with HIPAA timelines. Residents of California, Colorado, Texas, Virginia, and other states with applicable privacy laws may have additional rights, including the right to know, delete, and correct certain personal information, and the right not to be discriminated against for exercising those rights.

07. Security Safeguards

Ad Vital implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule and recognized frameworks including SOC 2 and NIST 800-53. Safeguards include AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control, mandatory multi-factor authentication for prescribers, immutable audit logs, annual penetration testing, vulnerability scanning, employee background checks, security training, and a documented incident-response program. EPCS controlled-substance prescribing additionally complies with 21 CFR Part 1311, including identity proofing, two-factor authentication using FIPS-validated factors, and digital signing of every controlled-substance prescription.

08. Data Retention

Ad Vital retains ePHI for as long as the Covered Entity maintains its subscription, plus any period required by the Business Associate Agreement and applicable medical record retention laws. Upon termination, ePHI is returned to the Covered Entity or securely destroyed in accordance with the BAA and NIST SP 800-88 media-sanitization guidance. Marketing-site analytics data is retained for thirteen (13) months.

09. International Data Transfers

Ad Vital stores ePHI in U.S.-based data centers operated by SOC 2 / ISO 27001 certified cloud providers. Personnel may access ePHI only from approved jurisdictions and only as necessary to provide support; access is logged and audited.

10. Children's Privacy

The Services are not directed to children under 13. Pediatric ePHI processed on behalf of a Covered Entity is governed by the BAA and applicable parental-consent requirements of the Covered Entity.

11. Marketing Site Visitors

On our marketing website we use a self-hosted, cookie-free analytics tool that records aggregate page-view counts and referrers without cross-site tracking. We do not run third-party advertising trackers on this website. Forms you submit (e.g., demo requests) are stored in our CRM and used solely to respond to your inquiry.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be posted on this page with a new effective date and, where appropriate, communicated to active customers in writing.

13. Contact / Privacy Officer

To contact our Privacy Officer or to exercise privacy rights, write to [email protected] or Ad Vital, Inc., Attn: Privacy Officer, 1518 Aldrich St, Houston, TX 77055. To file a HIPAA complaint, contact our Privacy Officer or the U.S. Department of Health & Human Services Office for Civil Rights at hhs.gov/ocr.